Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Ad Fraud Malware Updating Flash on Infected PCs

Ad fraud malware is one of the more profitable specialties in the cybercrime world, and the attackers who use it often have to adapt their tactics in order to keep the money rolling in. One of the tactics that they have adopted in recent months is that of updating the version of Flash that’s installed on an infected machine.

Ad fraud malware is one of the more profitable specialties in the cybercrime world, and the attackers who use it often have to adapt their tactics in order to keep the money rolling in. One of the tactics that they have adopted in recent months is that of updating the version of Flash that’s installed on an infected machine.

This technique is not something unique to ad fraud malware. Attackers have been known to patch the vulnerabilities they exploited to get on to a given machine as a way to keep other hackers out and some malware strains have been seen doing this, too. But the motivation for doing this likely is somewhat different for criminals using ad fraud malware. In their case, they’re not so much interested in the cleanliness of the machine as they are in the ads a user sees being displayed correctly.

That’s where the move to update Flash comes in.

Flash is required to play many video ads in browsers, and most modern browsers won’t run Flash content if the version that’s installed is too far out-of-date. This is designed to protect users against exploits targeting older Flash versions, but it also cuts into the profits of ad fraud crews that rely on fraudulent views or clicks on ads to make money. A malware researcher who uses the name Kafeine said he has seen versions of the Kovter ad fraud malware updating Flash to the most recent version in order to make sure video ads will play.

Ad fraud networks are a serious problem for site owners and advertisers, both of whom lose money when bots are used to click on or view ads.

“Modern ad-fraud bots don’t directly click on ads as many may expect. Instead they use low quality PPC exchanges to route their traffic to publishers who pay these exchanges for traffic. Once the bot lands on the publisher’s site, it automatically defrauds all the ad impressions on the site (and in some cases the video ads as well),” Sergei Frankoff of security firm Sentrant wrote in an explanation of how such networks operate.

Ad fraud malware such as Kovter and Bedep have close relationships with exploit kits, namely Angler and Fiesta, both of which are used often to drop these payloads. A group of attackers using Kovter from behind some domains in China recently began dropping the malware from the Nuclear exploit kit, a change from their previous use of Fiesta, according to Brad Duncan, a security researcher at Rackspace and handler at the SANS Internet Storm Center.

That group uses domains for the exploit kit that change several times per day and uses the familiar recipe of compromised web sites and injected javascript in order to infect users.

“During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it,” Duncan wrote.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.